General Data Protection Regulation: What Kenyans Need to Know

In about a month, this new law will be in place and may change how you deal with your customers’ data or how you use your social media platforms. If you’ve noticed, you probably have several emails from your favorite social media platform on change of their terms and conditions. You probably didn’t read them, but, this law is likely why they sent you that email.

The General Data Protection Regulation

The General Data Protection Regulation commonly referred to as GDPR is a law from the European Union which seeks to strengthen and unify data protection for individuals across the European Union. The new laws will be directly applicable in all EU member states.

Kenya isn’t part of the European Union and so at face value, the GDPR wouldn’t apply to you or I, but wait, it may.

The GDPR will replace the current Data Protection Directive and enters into force on 25 May 2018.

The GDPR aptly states that, ‘the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.’

What is Personal Data

The GDPR applies to Personal Data which is defined as: – any information relating to an identified or identifiable natural person (‘data subject’);

An identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This would mean that information is not personal data if there is no way to link it to a person. Further the definition now includes biometric, genetic, health information and online identifiers.

Personal Data Principles

The principles of data protection should apply to any information concerning an identified or identifiable natural person. The GDPR outlines a set of privacy principles to guide organizational management of data.

Lawfulness, fairness and transparency – the data subject must be told what processing will occur.

Purpose limitation – the data may be collected for specified, explicit and legitimate purpose.

Data minimization – personal data collected and/or processed should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy – personal data should be accurate and where applicable and necessary, kept up to date.

Storage Limitation – personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

Integrity and Confidentiality – organizations are expected to process personal data in a manner that ensures apt security of the personal data including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Key Impact of the GDPR on Territorial scope

The GDPR catches data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if for free) to or monitoring the behaviour (within the EU) of, EU data subjects.

This is of key importance for tech service providers or other service providers who give services to ANY European individual. This effectively means that you need to be GDPR compliant if you have even a single European customer.

One of the things you’d need if an organization based outside the EU, includes the need to appoint a representative in the EU by nomination in writing.

The new law now has extraterritorial reach and will catch companies who didn’t need to concern themselves earlier. The regulation applies to any company serving people within the EU, regardless of whether their business is based in or outside the bloc.

Additionally, there may be other local and/or sector specific laws and regulations which organizations would have to take into account.

The Kenyan Position on Data Protection

As you may already know, Kenya has no law on data protection which would protect your privacy and information. Case in point, elections. You probably received a message from a certain Mhesh whose poster you probably never saw to start with or a leading political party that you never signed up to. How did they get your number? No idea, me neither.

First suspects would probably be all those buildings which ask you to write all your government names, ID Number, phone number, vehicle registration number, where you’re coming from, where you’re going to, who you’re going to see and why you’re going to see them. The truth of the matter is there is a lot of personal information that trades hands. The unfortunate reality however, is that for most of these data controllers, that they sell your data is not illegal. There is no law which prohibits them from doing this. Only telecommunications operators and tech companies licensed by the Communications Authority are bound by the law on management of users’ data. Anyone else, they can really do anything with it.

The Constitution gives an overarching provision that gives you the right of privacy including that your communications be not interfered with, but that’s it. Per the ICT Policy (draft), the Government is expected to develop data protection legislation that ensures the protection of the confidentiality and integrity of citizens’ information. This legislation is foreseen to provide for collection, use, retention, security and disclosure of such information, including disclosure to law enforcement agencies.

Need a Data Protection Law

Europe is woke as we like to say, and the GDPR will definitely ruffle many feathers. But Companies are complying, and this goes to show the need and importance for a Kenyan data protection law. Your information is worth billions, (well, when put altogether).

Data is the crux of big data solutions, the fuel that runs several tech companies globally because it helps them know what ads you should be shown. The potential of your data includes identification of what illnesses you could suffer from, whether you’re creditworthy from how many times you okoa jahazi or ask a friend for a ka loan to social engineering and subconsciously influencing who you vote for.

The GDPR is timely, its unfortunate it is limited to Europeans only but perhaps the obligatory compliance will lead other States to consider introducing law on data protection or perhaps encourage Tech companies to treat all its users as Europeans using the GDPR as a standard like Facebook has recently opined.

Disclaimer: The GDPR is a comprehensive and wide law, this is but the tip of the iceberg on how it will affect you. As such, this should not be treated as comprehensive legal advice, simply an opinion. Techweez therefore takes no liability for actions taken based on this article and any consequential losses or accruing liability.

'I speak legalese, understand the tech and hack the law.'
June Okal is a legal professional in Technology, Media and Telecommunications Law Practice and Co - Organizer of Nairobi Legal Hackers. Her focus areas are Innovation, Intellectual Property and Internet Governance.